Poland Busts Teen DDoS-for-Hire Ring — Youngest Suspect Was 12
Seven minors. Ages 12 to 16. A coordinated DDoS operation spanning four Polish regions, complete with handwritten records, a ledger tracking payments, and a network of attack infrastructure seized from their bedrooms.
Poland’s Central Bureau for Combating Cybercrime (CBZC) has identified seven suspects in what amounts to a functioning cybercrime business run entirely by children. The operation wasn’t a prank or a dare — it was profit-driven, professionally organized, and aimed at real targets including auction platforms, sales portals, IT infrastructure providers, and accommodation booking services.
How It Started
Investigators traced the case back to a 14-year-old from the Masovian Voivodeship — identified as the administrator of tools used to carry out distributed denial-of-service attacks. From there, the investigation expanded across four regions: Masovian, Lublin, Łódź, and Greater Poland.
The raids turned up exactly what you’d expect from an operation this organized: mobile phones, computers, hard drives, storage devices — and things you might not expect from suspects this young: a physical ledger and handwritten records of transactions.
These kids were keeping books.
“Due to the age of the suspects, the materials from the activities carried out will be forwarded to the locally competent family courts, which will decide on the fate of the minors,” the CBZC said in its announcement.
What They Actually Built
This wasn’t a group of kids downloading someone else’s attack tool and pointing it at a school website. Evidence shows the suspects knew each other, maintained regular contact, and cooperated in administering and using the tools — language that describes a structured criminal organization, not a handful of bored teenagers.
The operation had:
- Attack infrastructure distributed across multiple suspects’ homes
- Shared administration of DDoS tools
- Paying customers — the attacks were offered as a service
- Financial records tracking earnings
- Coordinated targeting of commercial platforms
The targets — auction sites, hosting services, booking platforms — weren’t chosen randomly. These are businesses with measurable uptime dependencies and clear financial incentive to pay to make an attack stop or to knock out a competitor. Classic booter/stresser market targeting.
The DDoS-for-Hire Market Is Absurdly Accessible
The uncomfortable truth behind cases like this is how easy it has become to enter the DDoS-for-hire ecosystem. What was once the domain of sophisticated threat actors has become a commodity market with a low floor for entry.
Commercial stresser and booter services — which rent out DDoS capacity by the hour or by attack volume — proliferate across Telegram, dark web forums, and even surface web storefronts. Pricing starts at a few dollars per attack. Source code for botnets like Mirai has been publicly available since 2016, meaning anyone with basic Linux skills can set up attack infrastructure.
The CBZC did not specify which tools the suspects used or whether they operated their own infrastructure or resold capacity from a larger botnet. Given the suspects’ ages and the distributed nature of the operation, either scenario is plausible.
What’s clear is that the operational barrier is low enough that a 12-year-old can clear it.
What Happens to Them Now
Here’s where the Polish legal system diverges sharply from what would happen in the UK or US.
In Poland, criminal responsibility begins at age 17 for most offenses. Below that threshold, cases are handled by family courts (sądy rodzinne) under the Act on Juvenile Proceedings rather than criminal courts. Family courts can impose educational measures, supervisory orders, or placement in a correctional facility — but not criminal conviction or adult sentencing.
The CBZC confirmed this: the case materials will go to locally competent family courts.
Compare this to other jurisdictions:
United Kingdom: The NCA has pursued teens as young as 15 for DDoS offenses under the Computer Misuse Act 1990. In 2023, a 17-year-old member of the Lapsus$ group received an 18-month detention order. The UK has been notably aggressive in pursuing juvenile cybercriminals through the courts rather than diverting to welfare frameworks.
United States: The DOJ has charged minors for computer fraud offenses, though outcomes vary widely by state and federal jurisdiction. Operation PowerOFF — a multi-agency crackdown on booter services — resulted in arrests and seizures but has so far focused on adults. The FBI’s “Teenage and Young Adult Cyber Program” attempts intervention before charges, but serious cases proceed to prosecution.
Poland’s approach means none of these seven will have criminal records. Whether that’s proportionate to running a for-profit attack service that targeted real businesses depends on your perspective — but it’s the law as written.
The CBZC Track Record
Poland’s Central Bureau for Combating Cybercrime was established in 2022 as a dedicated unit within the Polish Police, specifically tasked with complex cybercrime investigations. Since then it has handled ransomware cases, fraud networks, and now this — a juvenile DDoS operation that demonstrates the bureau is casting a wide net.
The fact that investigators were able to identify a 14-year-old administrator, trace connections to six other suspects across four voivodeships, and execute coordinated operations across all of them simultaneously suggests a reasonably sophisticated investigative capability. DDoS attribution is not trivial — payment flows, infrastructure registration, and operational security mistakes are typically what give these operators away.
In this case, the handwritten ledger and physical records at the suspects’ homes suggest the crew was not particularly focused on their own security.
The Broader Pattern: Teens Are Being Recruited Into Cybercrime Earlier
This case is not an anomaly. It’s a data point in an accelerating trend.
The cyber threat landscape increasingly features juvenile actors — sometimes recruited deliberately by adult criminal organizations who understand that minors face lighter legal consequences, sometimes self-organizing through gaming communities, Discord servers, and Telegram groups where hacking tools are shared freely.
Recent examples:
- Lapsus$ (UK/Brazil, 2021–2022): A ransomware and extortion group whose core members included a 16-year-old in Oxford who went on to breach Microsoft, Nvidia, Samsung, and Uber before arrest.
- ViLE (US, 2023): Two men — one a minor — convicted of a SIM-swapping and doxxing operation targeting federal agents and their families.
- Scattered Spider (US/UK, 2022–2023): A loosely affiliated group responsible for attacks on MGM Resorts and Caesars Entertainment with members as young as 19; recruitment reportedly targeted teens on Telegram.
The pattern is consistent: low entry cost, peer networks that normalize the activity, platforms that make attack infrastructure trivially accessible, and legal frameworks that treat juvenile offenders more leniently — creating a perceived risk-reward calculation that makes sense to a 14-year-old running a DDoS-for-hire side hustle from his bedroom in Warsaw.
The Ledger Detail Matters
One thing worth not glossing over: they kept a ledger.
Handwritten financial records of a criminal operation suggest a level of business-mindedness that goes beyond opportunistic script kiddie behavior. Someone in this group — possibly the 14-year-old identified as the administrator — was tracking revenue, probably tracking customers, and treating this as an ongoing enterprise.
That’s not just a cybercrime story. That’s a story about what happens when the tools of cybercrime become accessible enough that a motivated teenager with entrepreneurial instincts can build a functioning attack service before they’re old enough to drive.
The family courts will decide what comes next for these seven. Whatever the outcome, the infrastructure is gone, the ledger is in an evidence room, and the CBZC has demonstrated that it’s watching the younger end of the threat actor pipeline too.
Follow Breached Company for updates as this case develops through the Polish family court system.
